package cn.echoedu.filter;

import static cn.echoedu.constants.Code.CONTACTS_LIST;
import static cn.echoedu.constants.Code.HOT_CONTACTS_LIST;
import static cn.echoedu.constants.Code.LOGIN;
import static cn.echoedu.constants.Code.REGISTER;

import java.io.IOException;
import java.util.Iterator;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import cn.echoedu.util.HttpUtil;
import cn.echoedu.util.L;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;

public class SafeFilter implements Filter{
		
	   private boolean hasreaded=false;
	   private final int CODEERROR=-1;
	   private String jsonstr="";
	   private String inj_str = "'|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|;|or|-|+|,";  
	   protected FilterConfig filterConfig = null;  
	   /** 
	   * Should a character encoding specified by the client be ignored? 
	   */  
	   protected boolean ignore = true;  
	   public void init(FilterConfig config) throws ServletException {  
		   
	   }  
	   public void doFilter(ServletRequest request, ServletResponse response,  
	   FilterChain chain) throws IOException, ServletException {  
		   if(LOGIN==getCode(request)){
				L.p("放sql注入");
				 HttpServletRequest req = (HttpServletRequest)request;  
				   HttpServletResponse res = (HttpServletResponse)response;  
				   
				   if(getUsernum(request)!=null){  
				   //TODO这里发现sql注入代码的业务逻辑代码  
					   System.out.println(getUsernum(request));
					  if(!(sql_inj(getUsernum(request)))){
						  System.out.println("---->"+getUsernum(request));
						  System.out.println("----->"+sql_inj(getUsernum(request)));
						  return;
					  }else{
						  if(!(sql_inj(getPassword(request)))){
							  System.out.println("---->"+getPassword(request));
							  System.out.println("----->"+sql_inj(getPassword(request)));
							  return;
						  }
					  }
					   
				   } 
				chain.doFilter(request, response);
			}else{
				
			}
	   chain.doFilter(request, response);  
	   } 
	  
	   private  JsonElement getJsonElement(ServletRequest request){
			if(!hasreaded){
				jsonstr=HttpUtil.readJSONString(request);
			}
			return new JsonParser().parse(jsonstr);
		}
	   
	   private int getCode(ServletRequest request){
			JsonObject jsonobject=getJsonElement(request).getAsJsonObject();
			JsonElement codeelement=jsonobject.get("code");
			if(codeelement==null){
				return CODEERROR;
			}
			return codeelement.getAsInt();
		}
	   private String getUsernum(ServletRequest request) {
		   JsonObject jsonobject=getJsonElement(request).getAsJsonObject();
			JsonElement codeelement=jsonobject.get("user_number");
			if(codeelement==null){
				return null;
			}
			return codeelement.getAsString();
	}
	   
	   private String getPassword(ServletRequest request) {
		   JsonObject jsonobject=getJsonElement(request).getAsJsonObject();
			JsonElement codeelement=jsonobject.get("password");
			if(codeelement==null){
				return null;
			}
			return codeelement.getAsString();
	}
	   
	   public boolean sql_inj(String str)  
	   {  
	   String[] inj_stra=inj_str.split("\\|");
	   
	   for (int i=0 ; i < inj_stra.length ; i++ )  
	   {  
		   System.out.println("------->>>>"+inj_stra[i]);
	   if (inj_stra[i].contains(str))  
	   {  
	   return false;  
	   }  
	   }  
	   return true;  
	   }
	public void destroy() {
		
	}
	
}
